Thread: Wiki
I've moved (well, copied) the web page to https://wiki.postgresql.org/wiki/Apt https://wiki.postgresql.org/wiki/Apt/FAQ Comments and edits welcome :) I plan to redirect pgapt.debian.net/index.html there. (I'll also try if apt likes redirects from there to the new archive location. Hopefully it does, or else we need to figure out how to convince users to switch once we go official...) Christoph -- cb@df7cb.de | http://www.df7cb.de/
Attachment
Did I mention the new pgdg-keyring package here yet? Feedback is welcome - I'm still pondering which of "pinning" and "sources list entry" should be part of the package, and what to use as defaults there for the debconf questions. The current plan would be to add a pinning question, but default to "no" (principle of least surprise for the casual user). We also need to investigate how well the package works when there's already a copy of the key in /etc/apt/trusted.gpg - which is the case when wget -O - http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc | sudo apt-key add - is used, while pgdg-keyring installs /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg [*]. Possibly we need to wipe the trusted.gpg version when the package is installed. Christoph [*] Should I rather call that pgdg.gpg? -- cb@df7cb.de | http://www.df7cb.de/
Attachment
On Sun, Nov 18, 2012 at 1:50 PM, Christoph Berg <cb@df7cb.de> wrote: > I've moved (well, copied) the web page to > > https://wiki.postgresql.org/wiki/Apt > https://wiki.postgresql.org/wiki/Apt/FAQ > > Comments and edits welcome :) The instructions under Quickstart. Does that lead to the "backports style" handling of the packages, or the "full apt.pg.org overrides" method? > I plan to redirect pgapt.debian.net/index.html there. > > (I'll also try if apt likes redirects from there to the new archive > location. Hopefully it does, or else we need to figure out how to > convince users to switch once we go official...) One way is to just break it. Then peoplew ill have to :) As long as it's trivial to change over, it might be worth taking that pain early on. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Sun, Nov 18, 2012 at 1:55 PM, Christoph Berg <cb@df7cb.de> wrote: > Did I mention the new pgdg-keyring package here yet? Nope. > Feedback is welcome - I'm still pondering which of "pinning" and > "sources list entry" should be part of the package, and what to use as > defaults there for the debconf questions. The current plan would be to > add a pinning question, but default to "no" (principle of least > surprise for the casual user). I still argue that the default should be "yes", with the exact same argument about principle of least surprise :) But that could be because I misunderstand the actual question? > We also need to investigate how well the package works when there's > already a copy of the key in /etc/apt/trusted.gpg - which is the case > when > > wget -O - http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc | sudo apt-key add - > > is used, while pgdg-keyring installs > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg [*]. Possibly we need to > wipe the trusted.gpg version when the package is installed. Yeah, I think we can expect a number of people to have done that already. And certainly some who prefer doing it that way. But surely the system must cope with keys being installed more than once? More interesting is really what happens if you have two copies of the key - and only one of them is renewsed for exmaple.. > [*] Should I rather call that pgdg.gpg? No, I think that is a good name. It shows it's a key for the apt repository specifically. There is a different GPG key used for the yum repo, for example. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Re: Magnus Hagander 2012-11-18 <CABUevEwMsgaBc=K_HdCB6Xx4FxLU82weZhsVhxEDbDFDObj92g@mail.gmail.com> > > Comments and edits welcome :) > > The instructions under Quickstart. Does that lead to the "backports > style" handling of the packages, or the "full apt.pg.org overrides" > method? Full pgdg experience. > > (I'll also try if apt likes redirects from there to the new archive > > location. Hopefully it does, or else we need to figure out how to > > convince users to switch once we go official...) > > One way is to just break it. Then peoplew ill have to :) As long as > it's trivial to change over, it might be worth taking that pain early > on. That might even be the better version in the "redirects work" case, or else I need to keep that vhost around forever... Christoph -- cb@df7cb.de | http://www.df7cb.de/
Attachment
Re: Magnus Hagander 2012-11-18 <CABUevExbHLugeMJ_jd14s=CnErwxvKw=bMwyoOPBF2-5Xq0GVw@mail.gmail.com> > > Feedback is welcome - I'm still pondering which of "pinning" and > > "sources list entry" should be part of the package, and what to use as > > defaults there for the debconf questions. The current plan would be to > > add a pinning question, but default to "no" (principle of least > > surprise for the casual user). > > I still argue that the default should be "yes", with the exact same > argument about principle of least surprise :) > > But that could be because I misunderstand the actual question? Nah, it is the same discussion as we had at my place. I'm kind of included to get the pgdg-keyring package included in Debian itself, so we have an easy trust path. In Debian, the question of "prefer pgdg" defaults might be different, but we certainly don't want to maintain two versions of the same package, just with different defaults. I'll keep thinking about it :) > But surely the system must cope with keys being installed more than > once? More interesting is really what happens if you have two copies > of the key - and only one of them is renewsed for exmaple.. That's the actual question. If we provide a new (renewed) key in the package, apt (or gpg) must not get confused by the other copy. (The fix is probably to remove the "manual" key on installation of the pgdg-keyring package.) > > [*] Should I rather call that pgdg.gpg? > > No, I think that is a good name. It shows it's a key for the apt > repository specifically. There is a different GPG key used for the yum > repo, for example. Well, we are using "pgdg" in lots of other places, so we should (could?) probably use it here too. Christoph -- cb@df7cb.de | http://www.df7cb.de/
Attachment
On Sun, Nov 18, 2012 at 4:33 PM, Christoph Berg <cb@df7cb.de> wrote: > Re: Magnus Hagander 2012-11-18 <CABUevEwMsgaBc=K_HdCB6Xx4FxLU82weZhsVhxEDbDFDObj92g@mail.gmail.com> >> > Comments and edits welcome :) >> >> The instructions under Quickstart. Does that lead to the "backports >> style" handling of the packages, or the "full apt.pg.org overrides" >> method? > > Full pgdg experience. 1) good. 2) should we perhaps explicitly note that this will have the effect of preferring the pgdg packages over the ones that are in the distribution by default? for those who don't really know how pinning works. >> > (I'll also try if apt likes redirects from there to the new archive >> > location. Hopefully it does, or else we need to figure out how to >> > convince users to switch once we go official...) >> >> One way is to just break it. Then peoplew ill have to :) As long as >> it's trivial to change over, it might be worth taking that pain early >> on. > > That might even be the better version in the "redirects work" case, or > else I need to keep that vhost around forever... Yeah. Though having a redirect in place for a while before breaking it is probably a pretty good middle ground... -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Sun, Nov 18, 2012 at 4:39 PM, Christoph Berg <cb@df7cb.de> wrote: > Re: Magnus Hagander 2012-11-18 <CABUevExbHLugeMJ_jd14s=CnErwxvKw=bMwyoOPBF2-5Xq0GVw@mail.gmail.com> >> > Feedback is welcome - I'm still pondering which of "pinning" and >> > "sources list entry" should be part of the package, and what to use as >> > defaults there for the debconf questions. The current plan would be to >> > add a pinning question, but default to "no" (principle of least >> > surprise for the casual user). >> >> I still argue that the default should be "yes", with the exact same >> argument about principle of least surprise :) >> >> But that could be because I misunderstand the actual question? > > Nah, it is the same discussion as we had at my place. I'm kind of > included to get the pgdg-keyring package included in Debian itself, so > we have an easy trust path. In Debian, the question of "prefer pgdg" > defaults might be different, but we certainly don't want to maintain > two versions of the same package, just with different defaults. > > I'll keep thinking about it :) Aha. I can see it being a more controversial thing to do if you want to push it into Debian itself. Speaking of which, is the name pgdg-keyring really the right one? If it *only* adds the key to the keyring it seems correct, but if it also adds a repository to your server it seems like a bad name for the package? >> But surely the system must cope with keys being installed more than >> once? More interesting is really what happens if you have two copies >> of the key - and only one of them is renewsed for exmaple.. > > That's the actual question. If we provide a new (renewed) key in the > package, apt (or gpg) must not get confused by the other copy. (The > fix is probably to remove the "manual" key on installation of the > pgdg-keyring package.) Yeah, unless it's smart enough to recognize which key is valid and only use that one. As you say, some testing is probably required :) >> > [*] Should I rather call that pgdg.gpg? >> >> No, I think that is a good name. It shows it's a key for the apt >> repository specifically. There is a different GPG key used for the yum >> repo, for example. > > Well, we are using "pgdg" in lots of other places, so we should > (could?) probably use it here too. We could. But I think calling it apt.postgresql.org.gpg is more clear :) -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/